The Transmission Control Protocol (TCP) TCP is a protocol that specifies: –How to distinguish among multiple destinations on a given machine –How to initiate and terminate a stream transfer –Format of the data and acknowledgments that two computers exchange to achieve a reliable transfer –Procedures the computers use to ensure that the data arrives correctly
Establishing a TCP Connection The 3-way handshake –Guarantee that both sides are ready for connection –Allows both sides to agree on initial sequence numbers Receive SYN Site 1NetworkSite 2 Send SYN seq=x Send SYN seq=y, ACK x+1 Send ACK y+1 Receive SYN&ACK Receive ACK
SYN Flood After the second message has been sent but before the third message has been received the connection is “half opened” –Most hosts store these half-opened connections in a fixed-size table while they await the third message –Half-opened connections are timed out after after half a minute or so
SYN Flood (cont) Attacker attempts to: –Fill up the half-opened connection table Attacker sends the victim machine a large number of SYN segments with spoofed source addresses (to nonexistent or unreachable hosts) Produces a large number of half-opened connections at the victim’s machine that will never become fully open The half-opened connection table fills and no new connections can be accepted until space is available –Keep it full Continue sending SYN segments to replace half-open connections as they time out Result: the victim host cannot accept any other, legitimate attempts to open a connection
Land Attack tool exploits a vulnerability in certain TCP implementations Attacker creates an invalid TCP SYN segment: –Spoofed source address is identical to the destination address –Source port is identical to the destination port Causes some TCP implementations to freeze or crash Fixed with software patches
Tribe Flood Network (TFN) Distributed denial of service attack tool –Newer versions have been developed (TFN2K, TFN3K, Stacheldraht) –Used in February, 2000 to attack several major e-commerce sites on the Web Similar to trinoo: –Daemon programs: listen for and execute commands from a master –Master programs Control a number of daemons Communicate with an attacker and pass his/her commands on to daemons
TFN (cont) “Improvements” over trinoo: –Random protocol (TCP, UDP, or ICMP) for communication between master and daemons –Can send out “decoy” packets to random IP addresses to obscure the true target of the attack –Daemons spoof the source IP address in the attack packets they send –Daemons can attack multiple targets –Wider variety of attacks
TFN (cont) Daemon attack strategies: –UDP flood (like with trinoo) –TCP SYN flood –ICMP ping flood –ICMP directed broadcast flood (smurf) –All of the above
Attacks Against Initial Sequence Numbers Recall: the 3-way handshake allows two communicating parties to agree on Initial Sequence Numbers (ISNs) What if the ISN can be guessed by a third-party?
Attacks Against ISNs (cont) If the ISN of an existing or future TCP connection can be determined an attacker may be able to: –Complete a 3-way handshake using a spoofed source IP address –Close an ongoing connection –Hijack an ongoing connection
Scans and Probes Attackers typically engage in a variety of reconnaissance activities before attacking: –To identify important/interesting hosts –To identify potential vulnerabilities that could be exploited A port scanner is a program that tries to determine which ports have programs listening on them Example: –Attempts to open a TCP connection to each port in order –If a connection is made then immediately close it and record the fact that the port is open –If the connection fails then the port is closed
Port Scanning (cont) Using fully-open connections to scan is likely to draw a lot of attention to the scan –Most hosts log: Each attempt to connect to a closed port Each time a newly-opened connection is closed with little or no data having been sent Clandestine scanning methods: –SYN scan: A SYN segment is sent to each port and any port that responds with a SYN+ACK segment is opened Instead of completing the handshake, a RST (reset) segment is sent to close the connection before it is fully opened Some hosts do not log half-opened connections
Closing a TCP Connection Applications should close a connection when they have no more data to transmit Connection can be closed in either one or both directions –Site 1 finishes transmitting data and waits for ACK from site 2 –Site 1 transmits a segment with the FIN bit set –Site 2 acknowledges the FIN segment –Site 2 notifies the application that no more data is coming –Data can still be transmitted from site 2 to site 1 –Site 1 will still receive and acknowledge data from site 2 –Eventually, site 2 will finish transmitting and close its connection –Both endpoints delete record of the connection
Closing a TCP Connection (cont) Site 1NetworkSite 2 Send FIN seq=x Receive FIN Send ACK x+1 Receive FIN&ACK Receive ACK Send FIN seq=y, ACK x+1 Send ACK y+1 Receive ACK (app closes connection) (inform application) (app closes connection)
TCP Connection Reset Applications normally close connections Sometimes abnormal conditions arise that break a connection Broken connections can be reset: –Site 1 sends a segment with the RST bit set –Site 2 receives segment and aborts the connection –Transfers in both directions cease immediately –Resources for the connection are released –Applications programs are informed
Forcing Data Delivery TCP divides the stream of octets into segments for transmission This improves efficiency since octets can be buffered until a good-sized segment can be sent TCP provides a push operation for applications that want to force delivery of octets –Set PSH bit –Send segment
Reserved TCP Port Numbers Like UDP: –Static port bindings for commonly used services Ports are reserved –Dynamic port bindings Port numbers over 1024 Port numbers for services accessible by both UDP and TCP usually match –ECHO (7) –TIME (37)
Reserved TCP Port Numbers
TCP Performance Silly Window Syndrome –Sender generates data quickly –Receiver reads incoming data one octet at a time SenderReceiver
TCP Performance (cont) Silly Window Syndrome –Each ACK advertises a small amount of space –Each segment carries a small amount of data Problems: –Poor use of network bandwidth –Unnecessary computational overhead
TCP Performance (cont) Avoiding Silly Window Syndrome –Use heuristics at sender to avoid transmitting a small amount of data in each segment –Use heuristics at receiver to avoid sending small window advisements Receive-side silly window avoidance –Monitor receive window size –Delay advertising an increase until a “significant” increase is possible “Significant” = min(half the window, maximum segment size)
Receive-Side Silly Window Avoidance Example Receive 6 octets, send ACK 7 with window advisement of 0 Application reads one octet Send window advisement of 3, receive 3 octets
Receive-Side Silly Window Avoidance Two approaches: –Receiver can ACK received octets but does not advertise an increase in its window until the increase is significant –Receiver can not send ACKs when the window is not large enough to advertise Advantages/disadvantages?
Send-Side Silly Window Avoidance Goal: avoid sending small segments Application can generate data in small blocks TCP must collect data sent by application into a single large segment (clump) for transmission TCP must delay sending a segment until it contains a reasonable amount of data How long should TCP wait before transmitting data?
Send-Side Silly Window Avoidance (cont) The Nagle Algorithm: –Application generates data to be sent over a connection that has already transmitted some data If all previous transmissions have been acknowledged send the data immediately If any ACKs are still pending do not transmit until: –Maximum segment size is reached, or –An ACK arrives Self-clocking - does not compute delays Applies even if the application requests a push
TCP Summary Provides reliable stream delivery service –Full duplex –Out-of-band for urgent data Makes efficient use of the network –Piggybacking –Sliding windows Efficiency End-to-end flow control –Acknowledgment and retransmission –Congestion recovery/avoidance